The dominance of a single chip maker in the Android market can pose significant risks, particularly when vulnerabilities arise. A flaw in the chip could potentially impact millions of devices simultaneously. Recently, Qualcomm found itself in this situation, but the company responded quickly by issuing security patches to address a zero-day exploit. Qualcomm announced that Google’s Threat Analysis Group alerted them to several vulnerabilities impacting their Adreno GPUs.
The vulnerabilities identified include CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038. Google indicated that these flaws might have been targeted for exploitation. Qualcomm made patches available to original equipment manufacturers (OEMs) in May, urging them to deploy these updates promptly on affected devices. The first two vulnerabilities involve improper authorization within the GPU’s graphics framework, which could lead to serious memory corruption if exploited.
The third vulnerability, CVE-2025-27038, is a use-after-free bug, another form of memory corruption that allows an app to continue using memory that has already been freed, leading to potential system instability. While Qualcomm did not specify which devices are affected, users of Qualcomm chipsets should ensure they update to the latest security patch as soon as their device manufacturers release it. The open-source nature of Android means that the responsibility for issuing patches falls to device makers, which can result in varying timelines for updates among different phone models.
Notably, Google confirmed that its Pixel phones are not impacted by these vulnerabilities since they are powered by Google’s own Tensor chipsets, which are built on different technology than Qualcomm’s. This distinction allows Pixel users to avoid the associated risks altogether.